Mappers are your friend.
In the data Keycloak gets from Google (most likely a token, with username, email, etc…) the roles and groups should be contained (if not, see how you add them on the Google side). Then, you can map the data from the Google-token to the Keycloak model and use claim-to-group mappers and similar.
It’s a mapper of the IdP; it has nothing to do with the client.
I don’t know this advanced mapper. I have been doing group mapping with an Azure AD IdP with the regular claim-to-group mapper for a few versions already, so there is no need to use KC17, although you should always use the most recent version.
If I did manage to get back the groups info, then I get stuck again, since I can find no way to add a user to a Keycloak group or add a role based on anything in the token.
Is my only choice to use a SPI to call out to Google, get the Groups, and then have the SPI add the user to a group/role based on that response?
Is this my only option? Has this been done before?
I am also facing the same issue. I can’t find how to map Google roles to Keycloak. I am surprised that it is such a basic thing and there is no documentation for it.
Basically, in Keycloak, for the Google Identity Provider, create a mapper to inject the Google Groups; you can map it to whatever you wish in Keycloak. NB: this is subject to Google actually releasing group information.
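
Added example, not part of the thread and not Keycloak's own code: a small Python sketch of the claim-to-group logic discussed above, which also shows the case where the IdP token carries no group claim at all. The claim name `groups`, the Google group addresses and the Keycloak group paths are assumptions, the tokens are constructed, and the payload is decoded for inspection only, without signature verification.

```python
import base64
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(jwt: str) -> dict:
    """Decode a compact JWT payload for inspection; the signature is NOT verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def map_groups(claims: dict, claim_name: str, rules: dict) -> list:
    """Map IdP claim values to local group paths.

    Raises KeyError when the IdP did not release the claim, which is the
    situation where no mapper configuration can help.
    """
    if claim_name not in claims:
        raise KeyError(f"IdP token has no '{claim_name}' claim; nothing to map")
    values = claims[claim_name]
    if isinstance(values, str):  # some IdPs send a single value, not a list
        values = [values]
    # Unmapped values are ignored rather than creating groups implicitly.
    return sorted({rules[v] for v in values if v in rules})


def make_token(claims: dict) -> str:
    """Build a constructed sample token (placeholder signature)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"


# Hypothetical mapping: IdP group value -> Keycloak group path.
RULES = {"eng@example.com": "/engineering", "ops@example.com": "/operations"}
WITH_GROUPS = make_token(
    {"email": "a@example.com", "groups": ["eng@example.com", "other@example.com"]}
)
WITHOUT_GROUPS = make_token({"email": "a@example.com"})

if __name__ == "__main__":
    print(map_groups(decode_payload(WITH_GROUPS), "groups", RULES))
    try:
        map_groups(decode_payload(WITHOUT_GROUPS), "groups", RULES)
    except KeyError as exc:
        print(exc)
```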